From 2a5aa49b209ad8ffcdbe6561f4cfdccf317b6ea0 Mon Sep 17 00:00:00 2001 From: rigazilla Date: Tue, 21 Nov 2023 16:16:03 +0100 Subject: [PATCH] Enabing TLS on endpoint and transport. Fixes #102 --- .github/workflows/test-chart.yml | 16 ++- CONTRIBUTING.md | 1 + README-tls.md | 5 + README.md | 2 + README.md.tpl | 2 + .../assembly_configuring_encryption.adoc | 12 ++ documentation/asciidoc/titles/stories.adoc | 1 + .../topics/proc_configuring_servers.adoc | 5 - .../topics/proc_enabling_encryption.adoc | 44 +++++++ .../topics/yaml/endpoint_encryption.yaml | 12 ++ .../asciidoc/topics/yaml/tls_secretname.yaml | 4 + .../topics/yaml/transport_encryption.yaml | 19 +++ templates/helpers.tpl | 18 ++- templates/statefulset.yaml | 24 +++- test/tls_secret.yaml | 115 ++++++++++++++++++ test/tls_values.snippet.yaml | 56 +++++++++ test/transport_tls_secret.yaml | 115 ++++++++++++++++++ values.schema.json | 96 ++++++++++++++- values.schema.json.tpl | 96 ++++++++++++++- values.yaml | 5 +- 20 files changed, 635 insertions(+), 13 deletions(-) create mode 100644 README-tls.md create mode 100644 documentation/asciidoc/stories/assembly_configuring_encryption.adoc create mode 100644 documentation/asciidoc/topics/proc_enabling_encryption.adoc create mode 100644 documentation/asciidoc/topics/yaml/endpoint_encryption.yaml create mode 100644 documentation/asciidoc/topics/yaml/tls_secretname.yaml create mode 100644 documentation/asciidoc/topics/yaml/transport_encryption.yaml create mode 100644 test/tls_secret.yaml create mode 100644 test/tls_values.snippet.yaml create mode 100644 test/transport_tls_secret.yaml diff --git a/.github/workflows/test-chart.yml b/.github/workflows/test-chart.yml index 3da574c..c0aa7f3 100644 --- a/.github/workflows/test-chart.yml +++ b/.github/workflows/test-chart.yml @@ -13,6 +13,8 @@ jobs: - uses: actions/checkout@v2 - uses: azure/setup-helm@v3.4 + with: + token: ${{ secrets.GITHUB_TOKEN }} id: install - name: Lint @@ -34,4 +36,16 @@ jobs: run: | kubectl create namespace helm-test helm install example-infinispan . -n helm-test --set deploy.replicas=2 - kubectl wait --for=condition=Ready pods -lapp=infinispan-pod -n helm-test --timeout=300s \ No newline at end of file + kubectl -n helm-test rollout status --watch --timeout=300s statefulset/example-infinispan + helm uninstall example-infinispan -n helm-test + kubectl delete namespace helm-test + + - name: Testing TLS + run: | + kubectl create namespace helm-test + kubectl apply -f test/tls_secret.yaml -n helm-test + kubectl apply -f test/transport_tls_secret.yaml -n helm-test + helm install example-infinispan . -n helm-test -f values.yaml -f test/tls_values.snippet.yaml --set deploy.replicas=2 + kubectl -n helm-test rollout status --watch --timeout=300s statefulset/example-infinispan + helm uninstall example-infinispan -n helm-test + kubectl delete namespace helm-test diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5025549..10946b7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -4,6 +4,7 @@ All PRs that require modifications to the `README.md` or `values.schema.json` fi The `brand.sh` script should then be executed using the upstream properties, i.e. `./brand.sh infinispan.conf`, and all modified `*.tpl`, `*.md` and `*.json` files added to the commit. + # Creating a Release 1. Update `Chart.yaml` - `.version` should be set to the version of the chart released diff --git a/README-tls.md b/README-tls.md new file mode 100644 index 0000000..b3ba093 --- /dev/null +++ b/README-tls.md @@ -0,0 +1,5 @@ +## Quickstart: deploy a TLS cluster with HELM + +kubectl apply -f test/tls_secret.yaml
+kubectl apply -f test/transport_tls_secret.yaml
+helm install infinispan . -f values.yaml -f test/tls_values.snippet.yaml --set deploy.replicas=2 diff --git a/README.md b/README.md index 2c49f15..ed927e9 100644 --- a/README.md +++ b/README.md @@ -46,4 +46,6 @@ Configure your Infinispan cluster by specifying values in the `deploy.*` section | `deploy.monitoring.enabled` | Enable or disable `ServiceMonitor` functionality. | false | Users must have `monitoring-edit` role assigned by the admin to deploy the Helm chart with `ServiceMonitor` enabled. | | `deploy.nameOverride` | Specifies a name for all Infinispan cluster resources. | Helm Chart release name | Configure a name for the created resources only if you need it to be different to the Helm Chart release name. | | `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - | +| `deploy.ssl.endpointSecretName` | Specifies the name of the secret that contains certificate for endpoint encryption | `""` | - | +| `deploy.ssl.transportSecretName` | Specifies the name of the secret that contains certificate for transport encryption | `""` | - | | `deploy.infinispan` | Infinispan Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. | diff --git a/README.md.tpl b/README.md.tpl index 61c38ed..2798c66 100644 --- a/README.md.tpl +++ b/README.md.tpl @@ -46,4 +46,6 @@ Configure your {brandname} cluster by specifying values in the `deploy.*` sectio | `deploy.monitoring.enabled` | Enable or disable `ServiceMonitor` functionality. | false | Users must have `monitoring-edit` role assigned by the admin to deploy the Helm chart with `ServiceMonitor` enabled. | | `deploy.nameOverride` | Specifies a name for all {brandname} cluster resources. | Helm Chart release name | Configure a name for the created resources only if you need it to be different to the Helm Chart release name. | | `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - | +| `deploy.ssl.endpointSecretName` | Specifies the name of the secret that contains certificate for endpoint encryption | `""` | - | +| `deploy.ssl.transportSecretName` | Specifies the name of the secret that contains certificate for transport encryption | `""` | - | | `deploy.infinispan` | {brandname} Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. | diff --git a/documentation/asciidoc/stories/assembly_configuring_encryption.adoc b/documentation/asciidoc/stories/assembly_configuring_encryption.adoc new file mode 100644 index 0000000..f9cd7ab --- /dev/null +++ b/documentation/asciidoc/stories/assembly_configuring_encryption.adoc @@ -0,0 +1,12 @@ +ifdef::context[:parent-context: {context}] +[id='encryption'] +:context: network-access += Configuring encryption +[role="_abstract"] +Configure encryption for your {brandname}. + +include::{topics}/proc_enabling_encryption.adoc[leveloffset=+1] + +// Restore the parent context. +ifdef::parent-context[:context: {parent-context}] +ifndef::parent-context[:!context:] diff --git a/documentation/asciidoc/titles/stories.adoc b/documentation/asciidoc/titles/stories.adoc index 62f93ef..24830a9 100644 --- a/documentation/asciidoc/titles/stories.adoc +++ b/documentation/asciidoc/titles/stories.adoc @@ -1,5 +1,6 @@ include::{stories}/assembly_installing_helm_chart.adoc[leveloffset=+1] include::{stories}/assembly_configuring_servers.adoc[leveloffset=+1] include::{stories}/assembly_configuring_authentication.adoc[leveloffset=+1] +include::{stories}/assembly_configuring_encryption.adoc[leveloffset=+1] include::{stories}/assembly_network_access.adoc[leveloffset=+1] include::{stories}/assembly_connecting_clusters.adoc[leveloffset=+1] diff --git a/documentation/asciidoc/topics/proc_configuring_servers.adoc b/documentation/asciidoc/topics/proc_configuring_servers.adoc index 0ba6d84..805b178 100644 --- a/documentation/asciidoc/topics/proc_configuring_servers.adoc +++ b/documentation/asciidoc/topics/proc_configuring_servers.adoc @@ -27,8 +27,3 @@ For example, you can create caches at startup with any {brandname} configuration * Configure {brandname} Server endpoints with the `deploy.infinispan.server.endpoints` fields. * Configure {brandname} Server network interfaces and ports with the `deploy.infinispan.server.interfaces` and `deploy.infinispan.server.socketBindings` fields. * Configure {brandname} Server security mechanisms with the `deploy.infinispan.server.security` fields. -+ -[NOTE] -==== -The {brandname} chart does not currently support TLS/SSL security realms and encrypted client connections. -==== diff --git a/documentation/asciidoc/topics/proc_enabling_encryption.adoc b/documentation/asciidoc/topics/proc_enabling_encryption.adoc new file mode 100644 index 0000000..fd03ebd --- /dev/null +++ b/documentation/asciidoc/topics/proc_enabling_encryption.adoc @@ -0,0 +1,44 @@ +[id='enabling-encryption_{context}'] += Enabling TLS encryption + +[role="_abstract"] +Encryption can be independently enabled for endpoint and cluster transport. + +.Prerequisites +* A secret containing a certificate or a keystore. Endpoint and cluster should use +different secrets. + +.Procedure + +.Set the secret name in the deploy configuration + +Provide the name of the secret containing the keystore. +[source,yaml,options="nowrap",subs=attributes+] +---- +include::yaml/tls_secretname.yaml[] +---- + +.Enable cluster transport TLS + +[source,yaml,options="nowrap",subs=attributes+] +---- +include::yaml/transport_encryption.yaml[] +---- +<1> Configures the transport stack to use the specified security-realm to provide cluster encryption. +<2> Configure the keystore path in the transport realm; secret is mounted at `/etc/encrypt/transport`. +<3> Configures the truststore with the same keystore, this allow the nodes to authenticate each other. +<4> Alias and password must be provided in case the secret contains a keystore. + +.Enable endpoint TLS + + +[source,yaml,options="nowrap",subs=attributes+] +---- +include::yaml/endpoint_encryption.yaml[] +---- +<1> Configure the keystore path in the endpoint realm; secret is mounted at `/etc/encrypt/endpoint`. +<2> Alias and password must be provided in case the secret contains a keystore. + +[role="_additional-resources"] +.Additional resources +* link:{security_docs}[{brandname} Security Guide] diff --git a/documentation/asciidoc/topics/yaml/endpoint_encryption.yaml b/documentation/asciidoc/topics/yaml/endpoint_encryption.yaml new file mode 100644 index 0000000..95c5e81 --- /dev/null +++ b/documentation/asciidoc/topics/yaml/endpoint_encryption.yaml @@ -0,0 +1,12 @@ +deploy: + infinispan: + server: + security: + securityRealms: + - name: default + serverIdentities: + ssl: + keystore: + path: "/etc/encrypt/endpoint/keystore.p12" #<1> + alias: "server" #<2> + password: "password" #<2> diff --git a/documentation/asciidoc/topics/yaml/tls_secretname.yaml b/documentation/asciidoc/topics/yaml/tls_secretname.yaml new file mode 100644 index 0000000..11f27d1 --- /dev/null +++ b/documentation/asciidoc/topics/yaml/tls_secretname.yaml @@ -0,0 +1,4 @@ +deploy: + ssl: + endpointSecretName: "tls-secret" + transportSecretName: "tls-transport-secret" \ No newline at end of file diff --git a/documentation/asciidoc/topics/yaml/transport_encryption.yaml b/documentation/asciidoc/topics/yaml/transport_encryption.yaml new file mode 100644 index 0000000..f5c4252 --- /dev/null +++ b/documentation/asciidoc/topics/yaml/transport_encryption.yaml @@ -0,0 +1,19 @@ +deploy: + infinispan: + cacheContainer: + transport: + urn:infinispan:server:14.0:securityRealm: > + "cluster-transport" #<1> + server: + security: + securityRealms: + - name: cluster-transport + serverIdentities: + ssl: + keystore: #<2> + alias: "server" + path: "/etc/encrypt/endpoint/cert.p12" + password: "password" + truststore: #<3> + alias: "server" #<4> + path: "/etc/encrypt/endpoint/cert.p12" #<4> diff --git a/templates/helpers.tpl b/templates/helpers.tpl index 6ae6f3c..4116e53 100644 --- a/templates/helpers.tpl +++ b/templates/helpers.tpl @@ -90,4 +90,20 @@ Include for indentation {{- if .env -}} {{ .env | toYaml | nindent 0 }} {{- end -}} -{{- end }} \ No newline at end of file +{{- end }} + +{{/* +Schema for default endpoint +*/}} + +{{- define "infinispan-helm-charts.defaultEndpointSchema" -}} + {{- range .Values.deploy.infinispan.server.security.securityRealms }} + {{- if eq .name "default" }} + {{- if and .serverIdentities .serverIdentities.ssl -}} + HTTPS + {{- else -}} + HTTP + {{- end -}} + {{- end -}} + {{ end -}} +{{ end }} diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index fff117e..2e2b8ed 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -93,7 +93,7 @@ spec: httpGet: path: rest/v2/cache-managers/default/health/status port: 11222 - scheme: HTTP + scheme: {{ include "infinispan-helm-charts.defaultEndpointSchema" . }} initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 @@ -104,7 +104,7 @@ spec: httpGet: path: rest/v2/cache-managers/default/health/status port: 11222 - scheme: HTTP + scheme: {{ include "infinispan-helm-charts.defaultEndpointSchema" . }} initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 @@ -114,7 +114,7 @@ spec: httpGet: path: rest/v2/cache-managers/default/health/status port: 11222 - scheme: HTTP + scheme: {{ include "infinispan-helm-charts.defaultEndpointSchema" . }} initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 @@ -137,6 +137,14 @@ spec: name: data-volume - mountPath: /etc/security name: identities-volume + {{- if and .Values.deploy.ssl (ne .Values.deploy.ssl.transportSecretName "")}} + - mountPath: "/etc/encrypt/transport" + name: "transport-encrypt-volume" + {{- end }} + {{- if and .Values.deploy.ssl (ne .Values.deploy.ssl.endpointSecretName "")}} + - mountPath: "/etc/encrypt/endpoint" + name: "encrypt-volume" + {{- end }} volumes: - configMap: name: {{ printf "%s-configuration" (include "infinispan-helm-charts.name" .) }} @@ -144,6 +152,16 @@ spec: - name: identities-volume secret: secretName: {{ include "infinispan-helm-charts.secret" . }} + {{- if and .Values.deploy.ssl (ne .Values.deploy.ssl.transportSecretName "")}} + - name: "transport-encrypt-volume" + secret: + secretName: {{ .Values.deploy.ssl.transportSecretName }} + {{- end }} + {{- if and .Values.deploy.ssl (ne .Values.deploy.ssl.endpointSecretName "")}} + - name: "encrypt-volume" + secret: + secretName: {{ .Values.deploy.ssl.endpointSecretName }} + {{- end }} {{- if .Values.deploy.container.storage.ephemeral }} - name: data-volume emptyDir: { } diff --git a/test/tls_secret.yaml b/test/tls_secret.yaml new file mode 100644 index 0000000..daadf47 --- /dev/null +++ b/test/tls_secret.yaml @@ -0,0 +1,115 @@ +apiVersion: v1 +kind: Secret +metadata: + name: tls-secret +type: Opaque +stringData: + # Create a secret to encrypt traffic between endpoints and clients. + # The secret must contain either a keystore or a TLS certificate/key pair. + # Specify an alias for the keystore. + alias: server + # Specify a password for the keystore. + password: password +data: + # Add a base64 encoded PKCS12 keystore. + keystore.p12: "MIIKDgIBAzCCCdQGCSqGSIb3DQEHAaCCCcUEggnBMIIJvTCCBFcGCSqGSIb3DQEHBqCCBEgwggRE\ +AgEAMIIEPQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI0SFmZLO2udkCAggAgIIEEAi0AiOf\ +TGOWk7qxTbu8uckd1+hoRDvYyoEcBiigS6koRLfOhVotL+0bLS+xjl4WIS492+2h47Ew0tyK2/DP\ +izDOW+ybIepP3tnZr9OtUsW1AkgV88R+QqQjlvrXvVLaVEwBIN3OwZZ1OsQUDatfMKUkX67i9hX9\ +0ayE9idxgNPyPEJ5fpApvH1Gi9jKcLR+QJSBCbWw2MckrUC9al1/8Fp6aGjgy16bGhBc5Py02hC9\ +Oao4BYnMsg/HS4AuvHAIHD4hL9gd6jPCPnJ41mgA38ypEyoDxBDWYALoNpdkBLF6yqOYsl8OOdD7\ +XNxELqhF1KAUCRzzhFmXwBAtrQb/s+00TCPFBDhOi4tkABMqu/iAyb/17qh2hcnF1EoC8shyBKO3\ +gPVP5tj71Yzuih79wJ1VAXDnqezDZGLFHNI4toJewO4v3MZffi9L0tf3yPnlE2UB97jSrHUmbBGB\ +BMrOwo5GzjMPteQXfuzxpjkDmZJat6gXmC/+Zmpjh1iPpUh+pKkPCmSNG3s54A0tsr1yn4ekvuHb\ +BQmFarkS+BmUmXoNecEwjpjhiXiDwNov9ntDu66JExwY1Hb5kFrWfymxzkt89yGIqICwq/B3RuHI\ +w+ZSOQ2SV8ydwltgu0CTA6BFcY/C352NQqpvWWO4/L4XaN1iFaSSaE6mljGTD2HGhRx4AU2F3EuS\ +USMJWKP8dIqVstTNqQ1kDeo+cOKApZ6o1RhvqBLKIs7HlGDUilaczzmL8tp6PLxohPMUoNMHPrxH\ +mDc71nnV1Jy9lFVgnoEOXgzFLX7WjxS6fuRbTVejqtSEoxOQ5kVGuh1TNqBtzNRyAJxEFExzNCjf\ +RU+uiI0iMFSQPb/I2ZP0r18VhbpJoxuYthccBPdtTFuBGyh2lQbwXFXciao/rSatpYJcfY23+OZ7\ ++PVHx/PiyiP19DYL0wkXIIT8X/PnzQ2Idn0hPdidfXQp6eO+8Sio7EAcEw/jPv6T9yxfptTtll3H\ +0bOSxgQJdap32YKRzJ8a9amrPpXIP/04XEGaqA1KIVa9jlAWmtPSnjMBoa67wK0/6y1P92daFNxH\ +lzms09eJsUyOMbZ6uGhNn5VT2PLc5lJ2iBZ+9D54X+XSzpB/72Lau5uTfn1VtC8F2Lp7rY96OxHV\ +hFmS0oYiJ9B8uZgRdr3hxMdlvBBiJ10WhpQiWW6Brcqx/qfKnhvpBjWvBOgJPTor0F2tjmcbGOdq\ +NLRELkpLVpwW3hTyFf1NCwOnLvHhd+Ji5Df7ihxLFiOSLNi3dnsEoAAqwyxkhVUQfhnbPlwEhgN2\ +ZGbuD4mtTMT6p36uuW9GlLsqUjn8+tsUZy+EYbX66Oe7LTjc6zaVd9BSXV5VEGdxKhwz04N8adkv\ +XObwTE0RZ1WiMIIFXgYJKoZIhvcNAQcBoIIFTwSCBUswggVHMIIFQwYLKoZIhvcNAQwKAQKgggTu\ +MIIE6jAcBgoqhkiG9w0BDAEDMA4ECIpn2KNHrPtmAgIIAASCBMg/KMMjSDlXIUtA0LwssuLw0I8i\ +q0xnFNew5JAIZh7dE3cTUkUOuL2j/LFNyzyGiIE+1KlsHgyNDcCp0E7gpqTZ1dzsn1h4MIYjSab/\ +yx6LxLMBeYlEhXXJn2aadPpjVmtCi8/1GYGR0FGyzyEHpPRqJGS1CEKPMs9sacPV2Czx5kfz9Zq3\ +JUo+XuNxnjDVus/E/ilGjKewU3ocaWUl6rlpMALW9M0bclrcfFBdJhOHUBPKdMYSM5tnCcCd0zIR\ +Ci3mzl0JylPZ31vzwjMoXg/HSbpscBtkl8JdBCrLw05YP/Ew23LdqSEjJL4OKDZ3qvii/ErxHbmY\ +TVmERrX90n0hTov/n3I+zKnrQo90y02DAulIeayI+5mmkwaZA0pW8nDcuGA8YqKUd9QYw5L+B73C\ +wfgjARhnzqr0qNZ4L00cJW/z7opprDX5f2lBYcPksZnmVamZtnz4xy7R59uPp/K3lHDBRKerLzcc\ +pzDFAqRk+P71V0aPGSVx6G6KqlwOquffRe4FVQF+tM7Qz4wWYR9GJrleW2y/aIw2RdiYMyL0wxww\ +cYJSr/X0f6zfytbi7rmSUF2p/OZM4e+x3nhAQ9JPXkx81G2N3vWhr5grqgAyyoXqU1yRZB2tpNKC\ +JCQRqwSMWZEJQqVUtsWb7K+DJ4wp4fLCT5HBveFNEYWLSRGwtgZAE0pviyLfrjoulDENmjg3V3kB\ +4UMxD2+2qDnJba1BLLrGaYmchYrk+wwTOw18cvFJi3aw0OookIAc99I6R0ahox9HtC4trGtyDH9a\ +XlR1MXh7wRM1waOMBpJBIpMEEJOglmkbccT+Tue90hgBfmLRSBGSJXn9b5ysv0HFgdqcgGg3Trbd\ +Av1x7NVWX4ZHhgwU5VEtZn34HHghFKQAeN67YXcC7fVmj2N+sfYMXPNME71BGcRJXNkywf8zi8VG\ +EYYjw/neeF3EdkgY20OxeHRCmRAl3QoeT6HHIHMLmzbefa8PM9zrI4D4qHybv7Y4+yncVH0V7fkZ\ +vY1SAdR/ViNQIpBfu9XnBPlys1ua0ChVwCLWgZFPrZZZ7zlFCPoFjA5NY4fUhcYp5+qUel/wRWpf\ +QJCMZaCIuVOWrU1LblNEisrv7TPlgO0QUUd9hEU4rnsNhi2M1evEyvs0vh99F4gbgHLrZ09uskh9\ +xd/nrS7X2TWM/wzZtlJmxCp7cMf0c95J85d6Ul04Sh3UeNQNfW53prb7N7MLDU3wD1obMzoIUD8V\ +l8HkCAmsK/O6/2E3s/Ul27PCfFAyzGtLt9ROs4jOixw7U9jDp2lgYcMEw3us3QlujK+9v4akgZ2L\ +muuC7ZR4PAHWwBgXhbll0MszJwjqMGIJonACRJ6D5atrAX6xtT1sGtb5qrgK2Cr8snIfLzXsTItZ\ +LO38A4HO4KAiKWEQUqX8bZPGLcXwv40T+eVWUGkjRSbudGsWdP2TW1MVAnGkg8EkCh6m461crUDW\ +6qqN1SX7FhuVw+AYNx2wSA/y6BFPbGN13yyXE6eMOmaiCMo48shiq4XGPAoDVQc0evoV0pol2r/Z\ +ml2TpGvzglLwxOagHcgZhg/GgK5+GLS7Q+fRJTqEWFflGfPJbufBw8034/YSgmCbEBsrcKX9Mm65\ +bR3yKsH2nG8xQjAbBgkqhkiG9w0BCRQxDh4MAHMAZQByAHYAZQByMCMGCSqGSIb3DQEJFTEWBBTu\ +lpkrq3GNR8G+xtwNjl1Tmn929jAxMCEwCQYFKw4DAhoFAAQUXHJcz5qgvy8FMgIX/MYvjQx/QwkE\ +CKUEybBaG1X/AgIIAA==" + # Add a TLS key. + tls.key: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZB\ +QVNDQktjd2dnU2pBZ0VBQW9JQkFRREdyeU45T2pYL05wUTkKTDQ0MkVjQzhuY0IyT0JRbGpnL0x6\ +WVhNZ1hOK2oxdlI1MUc4bHlsVlFuNytYd1RkZDZ4ZFhzMmtBTW5FdTVjSQpPR2N4N3FVTmZhWUtn\ +a1dRVTFCZXpHSmRkT1g2bm9rVktGTUpvVHU2ZXJYbG0zbG5JZlJ2N3JVa09manhvdk0vCmpMei93\ +MUpxbmZyZTVUcmZ1Q0hXdkdoekNocUhBWXpoN05BQ3p6cUlzQTY1eDdWSjRzM0o3Q05VTmI4TkZJ\ +ZlcKY2J1VGRHaVVTWllQMzZqVms1N3Z5b09yYkpTRmxxMDRhRXNwb3hBc3h4b1B4dlNyZm4yTlNa\ +VFZEZEx3YWVCRgo2YXYyamxKUVE5YTNhdnR2d2xoc3pEZ2k5d1ZBTGJYVDh6TzlGNUl6M3lBRFpO\ +cEpmdFBJZExEOGdWdktaZThxCjBpK2cwcUVaQWdNQkFBRUNnZ0VBSE9kUnBHQVpodDByeDVMcGYx\ +Z3B6OGFyUHdkOWR0RXAzeDR3L3NVK1JnVVkKK0hwTVc4RXAxQ3R1U2hjTW9DTk93ZTZPdi9NVlp6\ +ZGJDMmtaS2h4cmlvRGk3Tmh5d2tJOGlPMzJ5VjIrTHkxdApCOVRyNzVTekdiZk1TbkRKd29VZ0NF\ +Q1R2WWRwZmMyVTBZUHA0dE5KWkJWRGI3V3RVT3A2a2NDcStVRlpCcGFqClU1UWJhWUQxUTUveGdE\ +TXVxZksyNWJteFdhYjBuTnBxRG41Zkx6cGhLMnNLcFNkOFg1SmhkNEJ0ZW1wZittWjUKYzYvMjRw\ +UkI3dXNPQkFpQVluYjZzVFQ3RHhTeUw5Ym1hTkpGaG5iVFJSUEJCWnlTcVNoMnJqaG8rQUV6MjY4\ +LwpMaHovUms1VnNac2N0Vjk0UnB1RzFlYlhCQW1EVUNtN0pDYkZzWmtWbVFLQmdRRDBCZUNoZ01s\ +eS94dWdnSWZnCmE1TXl6MGxzRm1PSjJKZlluR0tMYUdiMWJuYTgrSWcrNXE3eE9qY1Y1bHNwMjZT\ +N2JpVnVXRXlTbDgzdWE0cWcKUGQzQlRkVnBUS2pJazVlSmxaYXg5aWlWeUYwcFBralNhSTBVMExB\ +RzdWbVJUNzY2K09naFh2T1JLZENCdll1cAp1K1N4MnZOK2x4S3pPeG82ZHU3dmpzSnBid0tCZ1FE\ +UWI1VnJNOFNlSGZzdjN3Sy9vQ1BlYXVscHhDMDUvVnhVCnhIQnp2Smtla2xuTkFMcXJOUUl2NHl3\ +VUs5dlBtcEx5M0JzcE9NcStKNDRDUXVtcm5YNXhLcTRBSTdXQnJOenAKVGQ1OGlGemg5dEt5bDRv\ +NmZSdlFQUWNBWWZmL3dieUF6cFJhRkU5bFRiTmVnOUQ3aS9GT2hDWWxlK3RmaUhLTgpMa2N4NGhZ\ +Sjl3S0JnUURhdFJIWmJrWWZUVW9EbG04eDB2akJCMHYxRmpQc2JqWGFMSCtlRnRxQWlwcmRUNXM5\ +ClZSL2lrSnlpZ2kyZTNIOU9oYkFDc0IwaEhmR3lDS3pjWmRhRTFDKzhDcnNUMmtSdFNhY2dwVkZH\ +dmFmUnVVTW4KWWhGZ1lKSUVBMkxOZkQyajhrYUs4a0UzRDlVVEUwRkR4V1Y1aXBYR0ZienE2c1Bk\ +Tm85OEllVlkvUUtCZ0JFego5SEFab0xPd0k4Z3FyczVrQ0RIV1B4ZUVvbnJ6eDBnVHduZzY2NlJU\ +VGVnV2xGR0hHWHdjVXNvRGFLdjB4UVlZClZvR0xkMmhFV1hza1RLYm1ZOFl4VUpVZ1hWMnJoN3dW\ +dWpRckNRZDVXS0IyMDJqS1pKNUdPeXF6NjBVSGwyaEcKSklaZXdNTEtxL0EwRHU2RCtWR1NwSmRa\ +Wis3Rmt6YkZ5QWg4OFhhM0FvR0FCN01OUjBQdHh6VkFPUWJ4Z21DZQoxUGJlN1BSNW9xOTN0YnZ3\ +NGVnNXhrWW5maWhuemR6c1hsTTQ0Z1MyY2QvRXZnc3UwR2s4RzIwaWQ2bWJkRDZmCjg0TXNFdnYz\ +ci9qVTliYllReFdhUXZhY0o5SzdUdUNndFhFbkJBWmc2Q0d6RVBvckhpcUlHbFcrTGtobUFHVWcK\ +S2JkRERURUFIUlh0VGg5bjFUSU9YbEU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K" + # Add a TLS certificate. + tls.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrekNDQW51Z0F3SUJBZ0lVZUtneEFpVTlw\ +WW9jYkxQY0MvcTFIZ21OUUlFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1dURUxNQWtHQTFVRUJoTUNh\ +WFF4Q3pBSkJnTlZCQWdNQW0xcE1Rc3dDUVlEVlFRSERBSnRhVEVUTUJFRwpBMVVFQ2d3S2FXNW1h\ +VzVwYzNCaGJqRU1NQW9HQTFVRUN3d0RaVzVuTVEwd0N3WURWUVFEREFScGMzQnVNQjRYCkRURTVN\ +RGt4TWpFeU1ERXlNVm9YRFRJNU1Ea3dPVEV5TURFeU1Wb3dXVEVMTUFrR0ExVUVCaE1DYVhReEN6\ +QUoKQmdOVkJBZ01BbTFwTVFzd0NRWURWUVFIREFKdGFURVRNQkVHQTFVRUNnd0thVzVtYVc1cGMz\ +QmhiakVNTUFvRwpBMVVFQ3d3RFpXNW5NUTB3Q3dZRFZRUUREQVJwYzNCdU1JSUJJakFOQmdrcWhr\ +aUc5dzBCQVFFRkFBT0NBUThBCk1JSUJDZ0tDQVFFQXhxOGpmVG8xL3phVVBTK09OaEhBdkozQWRq\ +Z1VKWTRQeTgyRnpJRnpmbzliMGVkUnZKY3AKVlVKKy9sOEUzWGVzWFY3TnBBREp4THVYQ0Robk1l\ +NmxEWDJtQ29KRmtGTlFYc3hpWFhUbCtwNkpGU2hUQ2FFNwp1bnExNVp0NVp5SDBiKzYxSkRuNDhh\ +THpQNHk4LzhOU2FwMzYzdVU2MzdnaDFyeG9jd29haHdHTTRlelFBczg2CmlMQU91Y2UxU2VMTnll\ +d2pWRFcvRFJTSDFuRzdrM1JvbEVtV0Q5K28xWk9lNzhxRHEyeVVoWmF0T0doTEthTVEKTE1jYUQ4\ +YjBxMzU5alVtVTFRM1M4R25nUmVtcjlvNVNVRVBXdDJyN2I4SlliTXc0SXZjRlFDMjEwL016dlJl\ +UwpNOThnQTJUYVNYN1R5SFN3L0lGYnltWHZLdEl2b05LaEdRSURBUUFCbzFNd1VUQWRCZ05WSFE0\ +RUZnUVV3d3N3Ck0ycjY3MVZjR1R5L083WkllZXJnTUVBd0h3WURWUjBqQkJnd0ZvQVV3d3N3TTJy\ +NjcxVmNHVHkvTzdaSWVlcmcKTUVBd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHOXcw\ +QkFRc0ZBQU9DQVFFQWhvb3IxbWlPWFBnVQpmMDJQRG9yN1lXdlhCNTllcEpxTzlQVENlK0l4cmps\ +VDROWEZHb1VoOTdQSFVBY3R5cnBScnM1UWRZNncxbWFyClY3UWdhSFZMaGtXWFRlb01vY1hYOERV\ +UkZvRHJoS0wrcWhsUlBoNTZVdDRLVEdCS1UyK0p5UzNsVklQc3J4MnkKUXZFOHFYNWhOVDdFU2JM\ +c3l6aHNoUXdSbjlQRXJ4b3NoeGhwUEkySnRIeFN6Y2U5V1VvMkd6TUlYd3VwMTJwTQpJTFZoWmF2\ +d0xzd1RXbzBYemlaVVRNaWxkQys0U0gxZmRTb1M5aG9rdllZOEpJc1orT1RvYTFYRmY3LzkySytN\ +CnZ3b29JK0FsTWQvNXpCNW9weVI1MjdlYVQyaE9vQ0s4d1IyL0VNNjh2OTdacHVVWG5ySkhzYity\ +ZENIQVdVdXkKT05hUFJSUjNydz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" diff --git a/test/tls_values.snippet.yaml b/test/tls_values.snippet.yaml new file mode 100644 index 0000000..8df6d8e --- /dev/null +++ b/test/tls_values.snippet.yaml @@ -0,0 +1,56 @@ +deploy: + ssl: + endpointSecretName: "tls-secret" + transportSecretName: "transport-tls-secret" + infinispan: + cacheContainer: + transport: + stack: "kubernetes" + urn:infinispan:server:14.0:securityRealm: "cluster-transport" + server: + security: + securityRealms: + - name: default + # [USER] Comment or remove this properties realm to disable authentication. + propertiesRealm: + groupProperties: + path: groups.properties + groupsAttribute: Roles + userProperties: + path: users.properties + serverIdentities: + ssl: + keystore: + alias: "server" + path: "/etc/encrypt/endpoint/keystore.p12" + password: "password" + # [METRICS] Security realm for the metrics endpoint. + - name: "cluster-transport" + # Security realm for cluster transport. This setup is for encryption only, no authentication. + # All the cluster server will use the same certificate both for key and trust store. + propertiesRealm: + groupProperties: + path: groups.properties + groupsAttribute: Roles + userProperties: + path: users.properties + serverIdentities: + ssl: + keystore: + alias: "server" + path: "/etc/encrypt/transport/cert.p12" + password: "password" + truststore: + path: "/etc/encrypt/transport/cert.p12" + password: "password" + - name: metrics + # [METRICS] Security realm for the metrics endpoint. + propertiesRealm: + groupProperties: + path: metrics-groups.properties + relativeTo: infinispan.server.config.path + groupsAttribute: Roles + userProperties: + path: metrics-users.properties + relativeTo: infinispan.server.config.path + diff --git a/test/transport_tls_secret.yaml b/test/transport_tls_secret.yaml new file mode 100644 index 0000000..739acb2 --- /dev/null +++ b/test/transport_tls_secret.yaml @@ -0,0 +1,115 @@ +apiVersion: v1 +kind: Secret +metadata: + name: transport-tls-secret +type: Opaque +stringData: + # Create a secret to encrypt traffic between endpoints and clients. + # The secret must contain either a keystore or a TLS certificate/key pair. + # Specify an alias for the keystore. + alias: server + # Specify a password for the keystore. + password: password +data: + # Add a base64 encoded PKCS12 keystore. + cert.p12: "MIIKDgIBAzCCCdQGCSqGSIb3DQEHAaCCCcUEggnBMIIJvTCCBFcGCSqGSIb3DQEHBqCCBEgwggRE\ +AgEAMIIEPQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI0SFmZLO2udkCAggAgIIEEAi0AiOf\ +TGOWk7qxTbu8uckd1+hoRDvYyoEcBiigS6koRLfOhVotL+0bLS+xjl4WIS492+2h47Ew0tyK2/DP\ +izDOW+ybIepP3tnZr9OtUsW1AkgV88R+QqQjlvrXvVLaVEwBIN3OwZZ1OsQUDatfMKUkX67i9hX9\ +0ayE9idxgNPyPEJ5fpApvH1Gi9jKcLR+QJSBCbWw2MckrUC9al1/8Fp6aGjgy16bGhBc5Py02hC9\ +Oao4BYnMsg/HS4AuvHAIHD4hL9gd6jPCPnJ41mgA38ypEyoDxBDWYALoNpdkBLF6yqOYsl8OOdD7\ +XNxELqhF1KAUCRzzhFmXwBAtrQb/s+00TCPFBDhOi4tkABMqu/iAyb/17qh2hcnF1EoC8shyBKO3\ +gPVP5tj71Yzuih79wJ1VAXDnqezDZGLFHNI4toJewO4v3MZffi9L0tf3yPnlE2UB97jSrHUmbBGB\ +BMrOwo5GzjMPteQXfuzxpjkDmZJat6gXmC/+Zmpjh1iPpUh+pKkPCmSNG3s54A0tsr1yn4ekvuHb\ +BQmFarkS+BmUmXoNecEwjpjhiXiDwNov9ntDu66JExwY1Hb5kFrWfymxzkt89yGIqICwq/B3RuHI\ +w+ZSOQ2SV8ydwltgu0CTA6BFcY/C352NQqpvWWO4/L4XaN1iFaSSaE6mljGTD2HGhRx4AU2F3EuS\ +USMJWKP8dIqVstTNqQ1kDeo+cOKApZ6o1RhvqBLKIs7HlGDUilaczzmL8tp6PLxohPMUoNMHPrxH\ +mDc71nnV1Jy9lFVgnoEOXgzFLX7WjxS6fuRbTVejqtSEoxOQ5kVGuh1TNqBtzNRyAJxEFExzNCjf\ +RU+uiI0iMFSQPb/I2ZP0r18VhbpJoxuYthccBPdtTFuBGyh2lQbwXFXciao/rSatpYJcfY23+OZ7\ ++PVHx/PiyiP19DYL0wkXIIT8X/PnzQ2Idn0hPdidfXQp6eO+8Sio7EAcEw/jPv6T9yxfptTtll3H\ +0bOSxgQJdap32YKRzJ8a9amrPpXIP/04XEGaqA1KIVa9jlAWmtPSnjMBoa67wK0/6y1P92daFNxH\ +lzms09eJsUyOMbZ6uGhNn5VT2PLc5lJ2iBZ+9D54X+XSzpB/72Lau5uTfn1VtC8F2Lp7rY96OxHV\ +hFmS0oYiJ9B8uZgRdr3hxMdlvBBiJ10WhpQiWW6Brcqx/qfKnhvpBjWvBOgJPTor0F2tjmcbGOdq\ +NLRELkpLVpwW3hTyFf1NCwOnLvHhd+Ji5Df7ihxLFiOSLNi3dnsEoAAqwyxkhVUQfhnbPlwEhgN2\ +ZGbuD4mtTMT6p36uuW9GlLsqUjn8+tsUZy+EYbX66Oe7LTjc6zaVd9BSXV5VEGdxKhwz04N8adkv\ +XObwTE0RZ1WiMIIFXgYJKoZIhvcNAQcBoIIFTwSCBUswggVHMIIFQwYLKoZIhvcNAQwKAQKgggTu\ +MIIE6jAcBgoqhkiG9w0BDAEDMA4ECIpn2KNHrPtmAgIIAASCBMg/KMMjSDlXIUtA0LwssuLw0I8i\ +q0xnFNew5JAIZh7dE3cTUkUOuL2j/LFNyzyGiIE+1KlsHgyNDcCp0E7gpqTZ1dzsn1h4MIYjSab/\ +yx6LxLMBeYlEhXXJn2aadPpjVmtCi8/1GYGR0FGyzyEHpPRqJGS1CEKPMs9sacPV2Czx5kfz9Zq3\ +JUo+XuNxnjDVus/E/ilGjKewU3ocaWUl6rlpMALW9M0bclrcfFBdJhOHUBPKdMYSM5tnCcCd0zIR\ +Ci3mzl0JylPZ31vzwjMoXg/HSbpscBtkl8JdBCrLw05YP/Ew23LdqSEjJL4OKDZ3qvii/ErxHbmY\ +TVmERrX90n0hTov/n3I+zKnrQo90y02DAulIeayI+5mmkwaZA0pW8nDcuGA8YqKUd9QYw5L+B73C\ +wfgjARhnzqr0qNZ4L00cJW/z7opprDX5f2lBYcPksZnmVamZtnz4xy7R59uPp/K3lHDBRKerLzcc\ +pzDFAqRk+P71V0aPGSVx6G6KqlwOquffRe4FVQF+tM7Qz4wWYR9GJrleW2y/aIw2RdiYMyL0wxww\ +cYJSr/X0f6zfytbi7rmSUF2p/OZM4e+x3nhAQ9JPXkx81G2N3vWhr5grqgAyyoXqU1yRZB2tpNKC\ +JCQRqwSMWZEJQqVUtsWb7K+DJ4wp4fLCT5HBveFNEYWLSRGwtgZAE0pviyLfrjoulDENmjg3V3kB\ +4UMxD2+2qDnJba1BLLrGaYmchYrk+wwTOw18cvFJi3aw0OookIAc99I6R0ahox9HtC4trGtyDH9a\ +XlR1MXh7wRM1waOMBpJBIpMEEJOglmkbccT+Tue90hgBfmLRSBGSJXn9b5ysv0HFgdqcgGg3Trbd\ +Av1x7NVWX4ZHhgwU5VEtZn34HHghFKQAeN67YXcC7fVmj2N+sfYMXPNME71BGcRJXNkywf8zi8VG\ +EYYjw/neeF3EdkgY20OxeHRCmRAl3QoeT6HHIHMLmzbefa8PM9zrI4D4qHybv7Y4+yncVH0V7fkZ\ +vY1SAdR/ViNQIpBfu9XnBPlys1ua0ChVwCLWgZFPrZZZ7zlFCPoFjA5NY4fUhcYp5+qUel/wRWpf\ +QJCMZaCIuVOWrU1LblNEisrv7TPlgO0QUUd9hEU4rnsNhi2M1evEyvs0vh99F4gbgHLrZ09uskh9\ +xd/nrS7X2TWM/wzZtlJmxCp7cMf0c95J85d6Ul04Sh3UeNQNfW53prb7N7MLDU3wD1obMzoIUD8V\ +l8HkCAmsK/O6/2E3s/Ul27PCfFAyzGtLt9ROs4jOixw7U9jDp2lgYcMEw3us3QlujK+9v4akgZ2L\ +muuC7ZR4PAHWwBgXhbll0MszJwjqMGIJonACRJ6D5atrAX6xtT1sGtb5qrgK2Cr8snIfLzXsTItZ\ +LO38A4HO4KAiKWEQUqX8bZPGLcXwv40T+eVWUGkjRSbudGsWdP2TW1MVAnGkg8EkCh6m461crUDW\ +6qqN1SX7FhuVw+AYNx2wSA/y6BFPbGN13yyXE6eMOmaiCMo48shiq4XGPAoDVQc0evoV0pol2r/Z\ +ml2TpGvzglLwxOagHcgZhg/GgK5+GLS7Q+fRJTqEWFflGfPJbufBw8034/YSgmCbEBsrcKX9Mm65\ +bR3yKsH2nG8xQjAbBgkqhkiG9w0BCRQxDh4MAHMAZQByAHYAZQByMCMGCSqGSIb3DQEJFTEWBBTu\ +lpkrq3GNR8G+xtwNjl1Tmn929jAxMCEwCQYFKw4DAhoFAAQUXHJcz5qgvy8FMgIX/MYvjQx/QwkE\ +CKUEybBaG1X/AgIIAA==" + # Add a TLS key. + tls.key: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZB\ +QVNDQktjd2dnU2pBZ0VBQW9JQkFRREdyeU45T2pYL05wUTkKTDQ0MkVjQzhuY0IyT0JRbGpnL0x6\ +WVhNZ1hOK2oxdlI1MUc4bHlsVlFuNytYd1RkZDZ4ZFhzMmtBTW5FdTVjSQpPR2N4N3FVTmZhWUtn\ +a1dRVTFCZXpHSmRkT1g2bm9rVktGTUpvVHU2ZXJYbG0zbG5JZlJ2N3JVa09manhvdk0vCmpMei93\ +MUpxbmZyZTVUcmZ1Q0hXdkdoekNocUhBWXpoN05BQ3p6cUlzQTY1eDdWSjRzM0o3Q05VTmI4TkZJ\ +ZlcKY2J1VGRHaVVTWllQMzZqVms1N3Z5b09yYkpTRmxxMDRhRXNwb3hBc3h4b1B4dlNyZm4yTlNa\ +VFZEZEx3YWVCRgo2YXYyamxKUVE5YTNhdnR2d2xoc3pEZ2k5d1ZBTGJYVDh6TzlGNUl6M3lBRFpO\ +cEpmdFBJZExEOGdWdktaZThxCjBpK2cwcUVaQWdNQkFBRUNnZ0VBSE9kUnBHQVpodDByeDVMcGYx\ +Z3B6OGFyUHdkOWR0RXAzeDR3L3NVK1JnVVkKK0hwTVc4RXAxQ3R1U2hjTW9DTk93ZTZPdi9NVlp6\ +ZGJDMmtaS2h4cmlvRGk3Tmh5d2tJOGlPMzJ5VjIrTHkxdApCOVRyNzVTekdiZk1TbkRKd29VZ0NF\ +Q1R2WWRwZmMyVTBZUHA0dE5KWkJWRGI3V3RVT3A2a2NDcStVRlpCcGFqClU1UWJhWUQxUTUveGdE\ +TXVxZksyNWJteFdhYjBuTnBxRG41Zkx6cGhLMnNLcFNkOFg1SmhkNEJ0ZW1wZittWjUKYzYvMjRw\ +UkI3dXNPQkFpQVluYjZzVFQ3RHhTeUw5Ym1hTkpGaG5iVFJSUEJCWnlTcVNoMnJqaG8rQUV6MjY4\ +LwpMaHovUms1VnNac2N0Vjk0UnB1RzFlYlhCQW1EVUNtN0pDYkZzWmtWbVFLQmdRRDBCZUNoZ01s\ +eS94dWdnSWZnCmE1TXl6MGxzRm1PSjJKZlluR0tMYUdiMWJuYTgrSWcrNXE3eE9qY1Y1bHNwMjZT\ +N2JpVnVXRXlTbDgzdWE0cWcKUGQzQlRkVnBUS2pJazVlSmxaYXg5aWlWeUYwcFBralNhSTBVMExB\ +RzdWbVJUNzY2K09naFh2T1JLZENCdll1cAp1K1N4MnZOK2x4S3pPeG82ZHU3dmpzSnBid0tCZ1FE\ +UWI1VnJNOFNlSGZzdjN3Sy9vQ1BlYXVscHhDMDUvVnhVCnhIQnp2Smtla2xuTkFMcXJOUUl2NHl3\ +VUs5dlBtcEx5M0JzcE9NcStKNDRDUXVtcm5YNXhLcTRBSTdXQnJOenAKVGQ1OGlGemg5dEt5bDRv\ +NmZSdlFQUWNBWWZmL3dieUF6cFJhRkU5bFRiTmVnOUQ3aS9GT2hDWWxlK3RmaUhLTgpMa2N4NGhZ\ +Sjl3S0JnUURhdFJIWmJrWWZUVW9EbG04eDB2akJCMHYxRmpQc2JqWGFMSCtlRnRxQWlwcmRUNXM5\ +ClZSL2lrSnlpZ2kyZTNIOU9oYkFDc0IwaEhmR3lDS3pjWmRhRTFDKzhDcnNUMmtSdFNhY2dwVkZH\ +dmFmUnVVTW4KWWhGZ1lKSUVBMkxOZkQyajhrYUs4a0UzRDlVVEUwRkR4V1Y1aXBYR0ZienE2c1Bk\ +Tm85OEllVlkvUUtCZ0JFego5SEFab0xPd0k4Z3FyczVrQ0RIV1B4ZUVvbnJ6eDBnVHduZzY2NlJU\ +VGVnV2xGR0hHWHdjVXNvRGFLdjB4UVlZClZvR0xkMmhFV1hza1RLYm1ZOFl4VUpVZ1hWMnJoN3dW\ +dWpRckNRZDVXS0IyMDJqS1pKNUdPeXF6NjBVSGwyaEcKSklaZXdNTEtxL0EwRHU2RCtWR1NwSmRa\ +Wis3Rmt6YkZ5QWg4OFhhM0FvR0FCN01OUjBQdHh6VkFPUWJ4Z21DZQoxUGJlN1BSNW9xOTN0YnZ3\ +NGVnNXhrWW5maWhuemR6c1hsTTQ0Z1MyY2QvRXZnc3UwR2s4RzIwaWQ2bWJkRDZmCjg0TXNFdnYz\ +ci9qVTliYllReFdhUXZhY0o5SzdUdUNndFhFbkJBWmc2Q0d6RVBvckhpcUlHbFcrTGtobUFHVWcK\ +S2JkRERURUFIUlh0VGg5bjFUSU9YbEU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K" + # Add a TLS certificate. + tls.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrekNDQW51Z0F3SUJBZ0lVZUtneEFpVTlw\ +WW9jYkxQY0MvcTFIZ21OUUlFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1dURUxNQWtHQTFVRUJoTUNh\ +WFF4Q3pBSkJnTlZCQWdNQW0xcE1Rc3dDUVlEVlFRSERBSnRhVEVUTUJFRwpBMVVFQ2d3S2FXNW1h\ +VzVwYzNCaGJqRU1NQW9HQTFVRUN3d0RaVzVuTVEwd0N3WURWUVFEREFScGMzQnVNQjRYCkRURTVN\ +RGt4TWpFeU1ERXlNVm9YRFRJNU1Ea3dPVEV5TURFeU1Wb3dXVEVMTUFrR0ExVUVCaE1DYVhReEN6\ +QUoKQmdOVkJBZ01BbTFwTVFzd0NRWURWUVFIREFKdGFURVRNQkVHQTFVRUNnd0thVzVtYVc1cGMz\ +QmhiakVNTUFvRwpBMVVFQ3d3RFpXNW5NUTB3Q3dZRFZRUUREQVJwYzNCdU1JSUJJakFOQmdrcWhr\ +aUc5dzBCQVFFRkFBT0NBUThBCk1JSUJDZ0tDQVFFQXhxOGpmVG8xL3phVVBTK09OaEhBdkozQWRq\ +Z1VKWTRQeTgyRnpJRnpmbzliMGVkUnZKY3AKVlVKKy9sOEUzWGVzWFY3TnBBREp4THVYQ0Robk1l\ +NmxEWDJtQ29KRmtGTlFYc3hpWFhUbCtwNkpGU2hUQ2FFNwp1bnExNVp0NVp5SDBiKzYxSkRuNDhh\ +THpQNHk4LzhOU2FwMzYzdVU2MzdnaDFyeG9jd29haHdHTTRlelFBczg2CmlMQU91Y2UxU2VMTnll\ +d2pWRFcvRFJTSDFuRzdrM1JvbEVtV0Q5K28xWk9lNzhxRHEyeVVoWmF0T0doTEthTVEKTE1jYUQ4\ +YjBxMzU5alVtVTFRM1M4R25nUmVtcjlvNVNVRVBXdDJyN2I4SlliTXc0SXZjRlFDMjEwL016dlJl\ +UwpNOThnQTJUYVNYN1R5SFN3L0lGYnltWHZLdEl2b05LaEdRSURBUUFCbzFNd1VUQWRCZ05WSFE0\ +RUZnUVV3d3N3Ck0ycjY3MVZjR1R5L083WkllZXJnTUVBd0h3WURWUjBqQkJnd0ZvQVV3d3N3TTJy\ +NjcxVmNHVHkvTzdaSWVlcmcKTUVBd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHOXcw\ +QkFRc0ZBQU9DQVFFQWhvb3IxbWlPWFBnVQpmMDJQRG9yN1lXdlhCNTllcEpxTzlQVENlK0l4cmps\ +VDROWEZHb1VoOTdQSFVBY3R5cnBScnM1UWRZNncxbWFyClY3UWdhSFZMaGtXWFRlb01vY1hYOERV\ +UkZvRHJoS0wrcWhsUlBoNTZVdDRLVEdCS1UyK0p5UzNsVklQc3J4MnkKUXZFOHFYNWhOVDdFU2JM\ +c3l6aHNoUXdSbjlQRXJ4b3NoeGhwUEkySnRIeFN6Y2U5V1VvMkd6TUlYd3VwMTJwTQpJTFZoWmF2\ +d0xzd1RXbzBYemlaVVRNaWxkQys0U0gxZmRTb1M5aG9rdllZOEpJc1orT1RvYTFYRmY3LzkySytN\ +CnZ3b29JK0FsTWQvNXpCNW9weVI1MjdlYVQyaE9vQ0s4d1IyL0VNNjh2OTdacHVVWG5ySkhzYity\ +ZENIQVdVdXkKT05hUFJSUjNydz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" diff --git a/values.schema.json b/values.schema.json index 9baf827..0a71230 100644 --- a/values.schema.json +++ b/values.schema.json @@ -166,6 +166,24 @@ "null" ] }, + "ssl": { + "description": "Setup for encryption.", + "type": [ + "object" + ], + "required": [ + "endpointSecretName" + ], + "properties": { + "endPointSecretName": { + "description": "Specifies the name of a secret that contains TLS certificate", + "type": [ + "string", + "null" + ] + } + } + }, "nodeSelector": { "description": "Defines the nodeSelector policy used by the cluster's StatefulSet", "type": [ @@ -368,7 +386,83 @@ "array", "null" ] - } + }, + "infinispan": { + "description": "Infinispan cluster configuration", + "type": [ + "object", + "null" + ], + "properties": { + "server": { + "description": "Infinispan server configuration", + "type": [ + "object", + "null" + ], + "properties": { + "security": { + "description": "Security configuration", + "type": [ + "object", + "null" + ], + "properties": { + "securityRealms": { + "description": "Security Realms configuration", + "type": [ "array", + "null" + ], + "items": { + "properties": { + "name": { + "type": "string" + }, + "serverIdentities": { + "description": "Configuration for server identities", + "type": [ + "object" + ], + "properties": { + "ssl": { + "type": [ + "object" + ], + "properties": { + "keystore": { + "type": [ + "object" + ], + "properties": { + "alias": { + "type": "string", + "minLength": 1 + }, + "path": { + "type": "string", + "minLength": 1 + }, + "password": { + "type": "string", + "minLength": 1 + } + }, + "required": ["alias","path","password"] + + } + } + } + } + } + } + } + } + } + } + } + } + } + } }, "type": [ "object", diff --git a/values.schema.json.tpl b/values.schema.json.tpl index 71e963d..7b1efb5 100644 --- a/values.schema.json.tpl +++ b/values.schema.json.tpl @@ -166,6 +166,24 @@ "null" ] }, + "ssl": { + "description": "Setup for encryption.", + "type": [ + "object" + ], + "required": [ + "endpointSecretName" + ], + "properties": { + "endPointSecretName": { + "description": "Specifies the name of a secret that contains TLS certificate", + "type": [ + "string", + "null" + ] + } + } + }, "nodeSelector": { "description": "Defines the nodeSelector policy used by the cluster's StatefulSet", "type": [ @@ -368,7 +386,83 @@ "array", "null" ] - } + }, + "infinispan": { + "description": "Infinispan cluster configuration", + "type": [ + "object", + "null" + ], + "properties": { + "server": { + "description": "Infinispan server configuration", + "type": [ + "object", + "null" + ], + "properties": { + "security": { + "description": "Security configuration", + "type": [ + "object", + "null" + ], + "properties": { + "securityRealms": { + "description": "Security Realms configuration", + "type": [ "array", + "null" + ], + "items": { + "properties": { + "name": { + "type": "string" + }, + "serverIdentities": { + "description": "Configuration for server identities", + "type": [ + "object" + ], + "properties": { + "ssl": { + "type": [ + "object" + ], + "properties": { + "keystore": { + "type": [ + "object" + ], + "properties": { + "alias": { + "type": "string", + "minLength": 1 + }, + "path": { + "type": "string", + "minLength": 1 + }, + "password": { + "type": "string", + "minLength": 1 + } + }, + "required": ["alias","path","password"] + + } + } + } + } + } + } + } + } + } + } + } + } + } + } }, "type": [ "object", diff --git a/values.yaml b/values.yaml index 007b2f4..89d0c5a 100644 --- a/values.yaml +++ b/values.yaml @@ -49,7 +49,6 @@ deploy: security: secretName: "" batch: "" - expose: # [USER] Specify `type: ""` to disable network access to clusters. type: Route @@ -89,6 +88,10 @@ deploy: securityContext: fsGroup: 185 + ssl: + endpointSecretName: "" + transportSecretName: "" + infinispan: cacheContainer: # [USER] Add cache, template, and counter configuration.